
PwnedList Shutdown Unrelated to Recent Vulnerability

PwnedList’s decision to shut down its free credential monitoring service had nothing to do with a recent vulnerability that exposed its collection of 866 million compromised credentials.

PwnedList, an online service that allows subscribers to monitor whether their credentials have been leaked in data breaches, said on Thursday that its decision to shut down has nothing to do with a serious vulnerability that exposed its collection of 866 million compromised credentials.

“The site was scheduled for decommission a while back. Due to various reasons, it was decided to keep it up for a bit longer, but the date was set long before this event took place,” said Byron Rashed, senior director of marketing for InfoArmor, the company that acquired PwnedList in 2013. “The decommission date of the PwnedList site was to coincide with the release of the new corporate website, which you will see up shortly; that decision took place when that project started around three months ago.”

Shortly after the flaw was fixed and details publicly disclosed by journalist Brian Krebs, visitors to PwnedList.com were greeted with a message informing them that the site will shut down May 16. Rashed said that the data accumulated by PwnedList will be integrated into fee-based service offerings.

The flaw, a parameter-tampering issue, was disclosed to Krebs by researcher Bob Hodges. Hodges told Threatpost that the issue was “very serious” and that an attacker who gained access to the breached credential database held by PwnedList could use that information to launch attacks.

“For example, say a malicious hacker wanted to gain access to a corporate email server. The attacker would pull up a report from PwnedList for that company’s domain which could contain 10,000-plus user credentials depending on the company’s size,” Hodges said. “The attacker would then use a script or utility to try and authenticate each set of credentials using the company’s public-facing email server. If one or more accounts successfully authenticate, the attacker gains a foothold. This is just one example, similar attacks could be used to access VPN appliances, web servers, etc.”

Hodges and InfoArmor’s Rashed clarified that the credential data gathered by PwnedList came from publicly available online data and does not include personally identifiable information or unreleased credentials. No subscriber or corporate data was exposed, Rashed said.

Hodges explained that the vulnerability was in PwnedList’s watchlist feature, a list of credentials the subscriber wants PwnedList to monitor.

“When you submit an email address to the watchlist, you are presented with a confirmation page. As long as you’ve submitted a valid email address, you’ll find a hidden parameter called ‘identifierstoadd.’ That parameter contains the email address submitted and a number value. By intercepting the form POST request and changing the values, any domain could be added to the watchlist,” Hodges said. “Within 24 hours, a report will be generated listing all breached credentials or hashes for all users in the specified domain going back five or six years. As you can imagine, a report for a domain like gmail.com would be very large.”

Hodges said that prior to PwnedList’s fix, the service did not verify that a subscriber actually owned the email addresses or domains added to a watchlist.

“Pwnedlist has a ‘verified’ column on the watchlist, but they no longer confirm ownership of email addresses or domains. Back in 2013, they used to verify email addresses by sending a confirmation email to the address added to the watchlist, but this is no longer the case for email addresses or domains,” Hodges said, adding that exploiting this weakness was simple. “I used the intercept feature in the tool Burp Suite to capture, view, and modify the POST parameters, but it could have been done in many ways.”
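The two weaknesses Hodges describes, a hidden form field that the server trusts and a watchlist that never confirms ownership, are easiest to see side by side. The following is an added example written for this page, not PwnedList’s code: a simulated watchlist endpoint with the flawed handler next to a hardened one. Only the field name ‘identifierstoadd’ comes from the article; the ‘<identifier>|<n>’ value format, the in-memory stores, the token-based confirmation flow and the sample breach records are assumptions made for illustration.

```python
"""Simulated watchlist endpoint: the trust-the-hidden-field flaw next to a fix.

Added example, not PwnedList's code. The field name 'identifierstoadd' is from
the article; the '<identifier>|<n>' value format, the store layout, the token
flow and the sample breach records are assumptions made for illustration.
"""
import secrets
from urllib.parse import parse_qs

# Constructed sample breach records (fake accounts, fake hashes).
BREACH_DB = [
    {"account": "alice@example.com", "hash": "5f4dcc3b5aa765d61d8327deb882cf99"},
    {"account": "bob@example.com",   "hash": "e10adc3949ba59abbe56e057f20f883e"},
    {"account": "carol@example.net", "hash": "25d55ad283aa400af464c76d713c07ad"},
]

# A legitimate form POST body and a tampered one (the edit an intercepting
# proxy such as Burp lets you make before the request leaves the browser).
LEGIT_BODY = "identifierstoadd=alice%40example.com%7C1"
TAMPERED_BODY = "identifierstoadd=example.com%7C1"   # whole domain, not one address


def parse_identifiers(body: str) -> list[str]:
    """Pull identifiers out of the hidden field; assumed format '<identifier>|<n>'."""
    out = []
    for raw in parse_qs(body).get("identifierstoadd", []):
        ident, _, _count = raw.partition("|")
        out.append(ident.strip().lower())
    return out


def add_vulnerable(user: str, body: str, watchlists: dict) -> list[str]:
    """Flawed pattern: whatever the client put in the hidden field is monitored
    and displayed as 'verified' without any proof of ownership."""
    added = parse_identifiers(body)
    for ident in added:
        watchlists.setdefault(user, []).append({"identifier": ident, "verified": True})
    return added


def add_fixed(user: str, body: str, watchlists: dict, pending: dict) -> list[tuple[str, str, str]]:
    """Hardened pattern: entries start unverified and get a one-time token. An
    email entry is confirmed by presenting the token (assumed to be mailed to
    that address); a domain entry is confirmed by publishing the token in a
    DNS TXT record for that domain."""
    added = []
    for ident in parse_identifiers(body):
        kind = "email" if "@" in ident else "domain"
        token = secrets.token_urlsafe(16)
        pending[token] = (user, ident, kind)
        watchlists.setdefault(user, []).append({"identifier": ident, "verified": False})
        added.append((ident, kind, token))
    return added


def confirm(token: str, watchlists: dict, pending: dict, dns_txt_lookup=None) -> bool:
    """Mark an entry verified once ownership is proven. Returns False for an
    unknown or already used token, or when the TXT records (from the supplied
    lookup callable) do not carry the token."""
    entry = pending.get(token)
    if entry is None:
        return False
    user, ident, kind = entry
    if kind == "domain":
        records = dns_txt_lookup(ident) if dns_txt_lookup else []
        if token not in records:
            return False
    del pending[token]   # single use
    for item in watchlists.get(user, []):
        if item["identifier"] == ident:
            item["verified"] = True
    return True


def report(user: str, watchlists: dict) -> list[str]:
    """Match only verified identifiers against the breach corpus. A verified
    domain matches every account in that domain; an email matches only itself."""
    hits = []
    for item in watchlists.get(user, []):
        if not item["verified"]:
            continue
        ident = item["identifier"]
        for rec in BREACH_DB:
            acct = rec["account"]
            if acct == ident or ("@" not in ident and acct.endswith("@" + ident)):
                hits.append(acct)
    return sorted(set(hits))
```

With the vulnerable handler, posting TAMPERED_BODY puts “example.com” on the watchlist as verified, and the next report lists every breached account in that domain. With the fixed handler the same POST produces an unverified entry that yields an empty report until the token is proven, and a used or guessed token is rejected. The point is that the hidden field is attacker-controlled input like any other; the server has to prove ownership itself rather than read it off the form.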

InfoArmor said the flaw was patched quickly, before it was publicly disclosed, and that the attack scenario Hodges described was not a common use of the service.

“This was not a major vulnerability, many sites have similar vulnerabilities and it is quite common. In fact, the patch was applied immediately and before the [Krebs] story broke,” Rashed said. “It has been thoroughly tested to ensure the issue was resolved. The process that was undertaken to ‘expose’ this vulnerability was fairly extensive, it was not easy to do or ever done before. We have no other subscriber who ever attempted to do this or added any domain to their own watch list.”

Authors

Threatpost
